Cyber Attacks, Threats, and Vulnerabilities
China compromised US companies with malicious microchips. Here are answers to your questions (Washington Examiner) On Thursday, Bloomberg reported that the Chinese military had successfully implanted malicious microchips in motherboards used by almost 30 U.S. companies as well as intelligence agencies.
The Big Hack: Statements From Amazon, Apple, Supermicro, and the Chinese Government (Bloomberg) In emailed statements, Amazon, Apple, and Supermicro disputed summaries of Bloomberg Businessweek’s reporting. Their statements are published here in full, along with one from a Chinese foreign ministry spokesperson.
National Cyber Security Centre backs Apple and Amazon after Chinese hacking claims (CRN) Bloomberg yesterday reported that servers bought by 30 global firms, including Apple and Amazon, were carrying tiny chips planted by the Chinese government
The Worst Hack in Science Fiction Has Allegedly Already Happened in Real Life (Motherboard) Chinese hackers planted a malicious chip into computer equipment used by a slew of US companies, including Apple and Amazon, according to a report from Bloomberg Businessweek.
China’s Big Hack Has Big Implications (Bloomberg) It ratchets up international tensions and exposes the global supply chain’s vulnerability.
It is the End of the World as We Know It. So What's Next? (SANS Internet Storm Center) Update: Supermicro is denying this report, and issued a statement. Without any additional evidence, it is difficult to decide who is right. Information about a problem like this would likely be highly guarded at Supermicro and only known to a small group within the company. We will have to see what evidence will emerge about this moving forward.
There's No Good Fix If the Supply Chain Gets Hacked (WIRED) A blockbuster report from Bloomberg says that China has compromised servers used by major US companies. It's a problem that experts have long feared, and still don't know how to resolve.
Computer Networks Are Now Permanently Hackable. Have Fun With That. (Bloomberg Opinion) The web of parts makers, assemblers, testers and contractors is almost impossible to untangle.
Risky Business feature: A podcast on Bloomberg's absolutely wild Supermicro story (Risky Business)
Bloomberg’s spy chip story reveals the murky world of national security reporting (TechCrunch) Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary… or it’s not, and a lot of people screwed up. To recap, Chinese spies reported…
West accuses 'pariah state' Russia of global hacking campaign (Reuters) Western countries issued coordinated denunciations of Russia on Thursday for run...
UK pins 'reckless campaign of cyber attacks' on Russian military intelligence (Register) We know it was GRU
How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims (WIRED) A new indictment details how Russian agents camped outside hotels when remote hacking efforts weren't enough.
How Russian spies allegedly hacked organizations across the world (Fifth Domain) How seven Russian intelligence officials allegedly nestled into the servers of targeted organizations is an insight into the advanced hacking efforts that foreign governments are undertaking.
GRU Officers Allegedly Hacked Wi-Fi Networks Worldwide (Infosecurity Magazine) Plan B meant physically travelling to targets, claims US indictment
This Russian cyberattack would be hilarious were the GRU not so sinister (Times) Russia is intensely proud of its espionage history. From the Bolshevik Cheka, through Stalin’s vicious NKVD, the KGB and now President Putin’s modern intelligence agencies, this is a country that...
'Cyberspace is not the Wild West': Australia targets Russian government over spate of attacks (The Sydney Morning Herald) Australia has joined allies in condemning an "indiscriminate and reckless" global campaign of cyber attacks.
Canada Says it Was Targeted by Russian Cyber Attacks (SecurityWeek) Canada said it too was targeted by Russian cyber attacks, citing breaches at its center for ethics in sports and at the Montreal-based World Anti-Doping Agency.
Alleged operations by Russia's GRU in recent years (New Zealand Herald) In a series of coordinated announcements, authorities in United States, Britain, The Netherlands and
Kremlin derides ‘hysteria’ over hacking of chemical weapons watchdog (Times) The Kremlin hit back at Western allegations of cyberattacks today, insisting the accusations were rooted in anti-Russian prejudice and “spy mania.” Moscow has furiously denied that officers from...
Russia claims US is running a secret bio weapons lab in Georgia (Military Times) Russian general says it's part of a network of U.S. labs near Russia and China, but the Pentagon strongly rejects the claim.
The DNC Hacker Indictment: A Lesson in Failed Misattribution (SecurityWeek) Studying the DNC Hacker case shows just how difficult it is to maintain a false identity in the face of a highly resourced and motivated opponent.
China slams Mike Pence's 'ridiculous' US meddling claims (Deutsche Welle) Beijing has decried accusations made by US Vice President Mike Pence, who claimed China is working to undermine President Donald Trump. Pence spoke of an "unprecedented effort" to influence American voters.
China's Influence Operations Are Pinpointing America's Weaknesses (Foreign Policy) From Iowa to Louisiana, Beijing has mapped out the pressure points of U.S. politics.
White House Adviser: Iran Is 'Central Banker' For Terrorism (RadioFreeEurope/RadioLiberty) U.S. President Donald Trump's national security adviser has called Iran "the central banker of international terrorism" as he laid out a wider strategy for countering Tehran in the Middle East.
Fake News Domains Spoof UK News Sites (Infosecurity Magazine) Typo-squatting found on nearly 200 domains
'Active and Dangerous' North Korean Hacking Group Is Behind Theft of $100 Million, Security Firm Warns (Fortune) APT38 is responsible for the theft since 2014, says FireEye's threat report.
DHS Warns of Attacks on Managed Service Providers (SecurityWeek) The DHS issued an alert on ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).
Advanced Persistent Threat Activity Exploiting Managed Service Providers (US-CERT) MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may
D-Link Central WiFiManager Software Controller Multiple Vulnerabilities (Core Security) 1. Advisory Information: Title: D-Link Central WiFiManager Software Controller Multiple Vulnerabilities; Advisory ID: CORE-2018-0010; Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities; Date published: 2018-10-04; Date of last update: 2018-10-04
Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft (BleepingComputer) A new Office 365 phishing attack utilizes an interesting method of storing their phishing form hosted on Azure Blob Storage in order to be secured by a Microsoft SSL certificate.
Recipe Unlimited denies ransomware attack, despite alleged ransom note (CSO Online) Recipe Unlimited denies a ransomware attack impacted nine restaurant brands, despite an alleged ransom note that shows the bitcoin ransom demand ticking up daily.
How do cyber-criminals use credential phishing attacks to steal vital business data? (Silicon Republic) More and more organisations are falling victim to credential phishing attacks, according to Menlo Security.
The Origin of Ransomware and Its Impact on Businesses (Radware Blog) As ransomware continues to become more widespread, companies will need to revise their annual cybersecurity goals while focusing on the appropriate implementation of ransomware resilience, recovery plans and commit adequate funds for cybersecurity resources in their IT budgets.
BEC-as-a-Service: Hacked accounts available from $150 (Help Net Security) For criminals looking to outsource their work, BEC-as-a-Service is widely available for as little as $150 – with results available in a week or less.
Passports on the dark web: how much is yours worth? (Comparitech) In 2018, Comparitech searched listings on several illicit marketplaces to find out how much passports are worth on the dark web, both digital and physical.
Instagram prototypes handing your location history to Facebook (TechCrunch) This is sure to exacerbate fears that Facebook will further exploit Instagram now that its founders have resigned. Instagram has been spotted prototyping a new privacy setting that would allow it to share your location history with Facebook. That means your exact GPS coordinates collected by Instag…
Fin7 Hackers Breached US Chain Burgerville (Infosecurity Magazine) Fast food restaurant customers were exposed for a year
Security Patches, Mitigations, and Software Updates
Google Turns on G Suite Alerts for State-Sponsored Attacks (SecurityWeek) After rolling out an option for G Suite administrators to receive alerts on suspected government-backed attacks on their users’ accounts, Google is now turning those alerts on by default.
Heading into October Patch Tuesday on the heels of big announcements from Microsoft (Help Net Security) In this October Patch Tuesday 2018 preview, Chris Goettl, Manager of Product Management, Security at Ivanti, discusses what we can expect.
Bruce Schneier's Click Here to Kill Everybody reveals the looming cybersecurity crisis (CSO Online) Everything is broken, and government and corporations like it that way. But when people start dying because of insecure cyberphysical systems, the overreaction from panicked policymakers could be worse than after 9/11. We need to solve this problem now, Bruce Schneier argues in his new book.
Bitglass 2018 Financial Services Breach Report: Number of Breaches in 2018 Nearly Triple That of 2016 (GlobeNewswire News Room) Malware and Hacking Responsible for Nearly Three Quarters of All Breaches in 2018
Financial services breaches nearly triple in two years - Bitglass (Security Brief) “Financial organisations regularly handle sensitive, regulated data like home addresses, bank statements and Social Security numbers.”
WhiteHat Application Security Report is a Call to Arms for DevOps Teams (BusinessWire) WhiteHat Security, the leading application security provider committed to securing digital businesses, today released its 2018 Application Security St
Most enterprises highly vulnerable to security events caused by cloud misconfiguration (Help Net Security) A survey of more than 300 IT professionals revealed that most enterprises are highly vulnerable to security events caused by cloud misconfiguration.
Identity fraudsters are getting better and better at what they do (Help Net Security) Socure, a provider of predictive analytics for digital identity verification, found that fraudsters have virtually eliminated reliable indicators for
Payment card security compliance on the decline (Retail Customer Experience) A Verizon security report reveals that payment security compliance has dropped for the first time in six years, and businesses are more vulnerable to cybercrime. The Verizon 2018 Payment Security Report, according to a press release, highlights a crucial need...
Perch Security Secures $9 Million Series A Funding Led by ConnectWise, Inc. (PR Newswire) Perch Security, the cybersecurity company that combines self-service threat intelligence tools with a managed...
Randori Secures $9.75M to Build the First Nation-State Caliber Attack Platform (BusinessWire) Randori launches the industry's first nation-state caliber attack platform to give a real-time understanding of how attackers view an organization.
Autonomous cybersecurity company Hmatix announces $500K in seed funding (Help Net Security) Hmatix is a cybersecurity solution that secures industrial IoT endpoints with autonomous protection, detection and response.
BakerHostetler Further Strengthens its Globally Recognized Privacy and Data Protection (BakerHostetler) Sarah (Xiaohua) Zhao brings broad transactional experience and knowledge of both the Chinese and American regulatory landscapes to her high-tech practice.
Products, Services, and Solutions
Ivanti Expands Portfolio to Include Self-Service Password Management Solution (Ivanti) New Ivanti Password Director Reduces the Burden on IT by providing end users with a fast, secure way to reset their passwords and unlock their accounts, while enforcing a strong password policy
Wickr Announces General Availability of Anti-Censorship Tool (SecurityWeek) Wickr has announced the general availability of its secure open access protocol to circumvent censorship for all Wickr Me and Wickr Pro (via admin console) users.
Passware Kit: Forensic software recovers passwords for Bitcoin wallets (Help Net Security) Passware Kit recovers passwords for popular Bitcoin wallet services: Blockchain.com (known previously as Blockchain.info) and Bitcoin Core.
Waratek Secure provides protection against attacks and zero days (Help Net Security) Waratek Secure is a new runtime agent that blocks and detects attacks using a deterministic approach to safeguard web applications from Zero Day attacks.
ObserveIT brings new insider threat detection features to market (Help Net Security) ObserveIT 7.6 includes the addition of FAM (File Activity Monitoring), a solution for data exfiltration detection and prevention.
This Firm Wants To Launch A Cyber Attack On Your Business (Forbes) Randori founders David Wolpoff and Brian Hazzard want to change the way penetration testing is done with what they call a “nation state calibre” cyber-attack platform
Viasat (VSAT) Introduces New Cybersecurity Software Solution (Zacks Investment Research) Viasat's (VSAT) latest cybersecurity software is currently available to the naval and maritime customers in the United States, Australia, Canada, New Zealand and the United Kingdom.
How Starbucks is using Splunk to automate mundane security tasks (ComputerWeekly.com) Coffee giant Starbucks is using Splunk to automate some of its more boring security tasks to reduce the workload for its cyber staff
Technologies, Techniques, and Standards
Improving Security Operations Through Collaboration (SecurityWeek) Collaboration holds the key to improved time to detection and response, so teams can better address the concerns that permeate the organization when a large-scale attack happens.
Four Things to Consider When Evaluating IPS Solutions (SecurityWeek) To ensure that your existing IPS solution doesn’t become a weak link in your security strategy, you should be constantly tracking and evaluating its effectiveness—especially older, legacy solutions.
How the Pentagon can help improve supply chain cybersecurity (C4ISRNET) Thomas Michelli, the Pentagon's acting deputy chief information officer for cybersecurity, talks supply chain risks, identification cards, artificial intelligence and staffing in this Q&A.
After Facebook's hack, there's a lot of useless post-breach advice (CNET) Thank you, Capt. Hindsight.
How Ashley Madison Recovered From Its Massive Data Breach (eWEEK) At SecTor, the CISO of Ruby Life, the parent company of breached infidelity website Ashley Madison, details the steps the company has taken to improve security.
Cyber security should become part of a firm’s culture – Irish deputy governor (Central Banking) Warnings must not get diluted as they pass up the chain, Sibley says
Don't ever use a VPN without paying attention to these five things (HackRead) Ryan Lin was just recently sentenced to 17 years in prison. He was sentenced for committing a range of crimes including cyberstalking, computer fraud and abuse, aggravated identity theft, and distribution of child pornography. These are all serious crimes that I in no way support or condone, but why am I particularly interested in the sentencing of this criminal?
Design and Innovation
Northrop Grumman Cybersecurity Team Wins the DreamPort Rapid Prototyping Competition (Northrop Grumman Newsroom) Northrop Grumman Corporation (NYSE: NOC) fielded an elite team of cybersecurity experts last week at The Chameleon and the Snake competition, winning DreamPort’s first-ever rapid prototyping event. It was held on...
Research and Development
Qubits kept together by shouting at them with microwaves (Ars Technica) Microwaves plus clever tricks make qubits more immune to noise.
The World’s Most Precise Clock Reveals the Nature of Time and the Universe (Motherboard) Physicist Jun Ye built the world’s most precise clock and is part of the group of scientists who changed our understanding of time itself.
Cranfield University reveals plans for leading research role in autonomous systems and AI (Cranfield University) Cranfield University announces plans for a world-leading Professorship in Autonomous Systems and Artificial Intelligence, sponsored by BAE Systems.
Legislation, Policy, and Regulation
Pence Takes Aim at China (Atlantic Council) US Vice President Mike Pence took direct aim at Beijing in an October 4 speech in which he accused China of “pursuing a comprehensive and coordinated campaign to undermine support for the president, our agenda, and our nation’s most cherished...
Pence says China is trying to undermine Trump because it ‘wants a different American president’ (Washington Post) In a speech, the vice president assailed Beijing’s trade and military strategy and “wholesale theft of American military technology.”
Western Nations Go On the Offensive Against Russian Cyberattacks (Atlantic Council) Atlantic Council’s Ben Nimmo warns: polarization is America’s Achilles’ heel Western governments on October 4 unleashed a torrent of accusations against Russia saying its intelligence agency was responsible for cyberattacks on inquiries into...
Analysis | The Cybersecurity 202: U.S. and allies make coordinated push to 'name and shame' Russian hackers (Washington Post) Meanwhile, Pence focused on China's influence operations.
Midterms Seen As Potential Target of Cyberattacks (Atlantic Council) ‘Our adversaries have demonstrated the capability and will,’ says US Department of Homeland Security Secretary Kirstjen Nielsen The United States’ top cybersecurity officials believe that the midterm elections in November are a potential target of...
Nielsen outlines how US reassessing cyber risk (Fifth Domain) U.S. leaders are changing how they view threats in cyberspace and now expect that a nation state or criminal actor with cyber capabilities will use those tools against the United States, Secretary of Homeland Security Kirstjen Nielsen said Oct. 3 at the Atlantic Council.
Germany’s Position on International Law in Cyberspace (Lawfare) In responding to a series of inquiries from the opposition party, the German government has clarified its position on international law in cyberspace—but questions remain.
New IoT legislation bans shared default passwords (Help Net Security) In an attempt to make it harder for bots to take over the myriad of connected devices sold in California, Governor Jerry Brown signed into law SB-327.
Litigation, Investigation, and Law Enforcement
U.S. indicts Russians in hacking of nuclear company Westinghouse (Reuters) The United States on Thursday charged seven Russian intelligence officers with c...
Democratic ex-staffer contests charges he posted personal data on GOP senators, threatened witness in doxing (Washington Post) U.S. Capitol Police said the investigation continues into the edits to Wikipedia made during the Kavanaugh hearing.
Can we trust digital forensic evidence? (Help Net Security) Research has suggested that more work is needed to show that digital forensic methods are robust enough to stand up to interrogation in a court of law.
Elon Musk Tweet Mocks the Securities and Exchange Commission (Wall Street Journal) Tweet referencing the ‘Shortseller Enrichment Commission’ comes days after the Tesla chief executive settled with the regulator over fraud charges.